Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support file-based plugin configuration in catalog with hot reload #5165

Closed
azdagron opened this issue May 21, 2024 · 4 comments · Fixed by #5166
Closed

Support file-based plugin configuration in catalog with hot reload #5165

azdagron opened this issue May 21, 2024 · 4 comments · Fixed by #5166
Assignees
@azdagron
Labels
priority/backlog Issue is approved and in the backlog
Milestone
1.10.0

Comments

@azdagron
Copy link
Member

Plugin configuration today happens once, when the plugin is loaded by the catalog. The plugin configuration data is provided statically by the contents of the plugin_data section of the plugin config.

Several use cases exist where it would be convenient to change plugin configuration at runtime (#4390).

We can support this generically in the catalog system by introducing a new plugin_data_file setting. This setting would be mutually exclusive with plugin_data. It would point to a file on disk where the plugin configuration would live.

For example, this is how a plugin configuration looks today:

Plugins {
    NodeAttestor "k8s_psat" {
         plugin_data = {
            some_setting = "foo"
            ...
        }
    }
    ...
}

And this is how a plugin configuration would look using this option:

Plugins {
    NodeAttestor "k8s_psat" {
         plugin_data_file = "k8s_psat.conf"
    }
    ...
}

And the plugin.conf file:

some_setting = "foo"

Either on some interval, or in response to a signal or something, the catalog would:

  1. reload the plugin configuration from the file
  2. if changed, push the new configuration into the plugin via the config service
  3. Log the results.

The Configure RPC is already documented to indicate that implementations should be able to respond to Configure calls executed concurrently with other RPCs. Built-in plugins are all written to expect this.
@azdagron
Copy link
Member Author

Outstanding question is how do we want to trigger reloading. Signal? Timer?

This was referenced May 21, 2024
Closed
Closed
Closed
Closed
Closed
Closed
@azdagron azdagron self-assigned this May 21, 2024
@azdagron azdagron added this to the 1.10.0 milestone May 21, 2024
@azdagron azdagron added the priority/backlog Issue is approved and in the backlog label May 21, 2024
@azdagron
Copy link
Member Author

I have a prototype implementation I'll dust off for this. Just need to write up some tests.

@amartinezfayo amartinezfayo mentioned this issue May 21, 2024
Closed
@edwbuck
Copy link
Contributor

edwbuck commented May 21, 2024

For clarification, the "k8s_psat.conf" file in the example above would be HCL (version 1) correct?

If we are establishing plugin loading policy, I propose that such files match whatever the server loads (HCL 1.0 at the moment).

@azdagron
Copy link
Member Author

azdagron commented May 21, 2024
edited
Loading

By convention, that's correct. And certainly what will be expected for all built-in plugins for the foreseeable future. Technically, SPIRE Core would no longer care as long as the configuration was utf-8 text based, since this data isn't parsed alongside the main HCL config. The data would be loaded from file, turned into a string, and then otherwise passed unmodified/unparsed into the plugin. So external plugin authors could do what they wanted 🤷

@azdagron azdagron mentioned this issue May 22, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@azdagron azdagron

Labels
priority/backlog Issue is approved and in the backlog
Projects
None yet
Milestone
1.10.0
Development

Successfully merging a pull request may close this issue.

Plugin reconfiguration support azdagron/spire
2 participants
@edwbuck @azdagron